IETF Logo Mail Archive

Re: [openpgp] Recap of the signature options [was: PQC signature algorithm selection]

Falko Strenzke <falko.strenzke@mtg.de> Tue, 05 March 2024 07:47 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31DB5C14F61D; Mon, 4 Mar 2024 23:47:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y5YbsOiSkjTh; Mon, 4 Mar 2024 23:47:29 -0800 (PST)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94146C14F616; Mon, 4 Mar 2024 23:47:27 -0800 (PST)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 4257lO7l026644 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 5 Mar 2024 08:47:24 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1709624844; bh=xMj0klGt2/qdlk0iVH+IWmaouuyFZyzrdVHfjLmh2S0=; h=Date:Subject:To:References:From:In-Reply-To; b=KiMkc/2TeuYH8xOpUlGF5jUkSDhF3vpNDK/xUoz/lu3yOBz3st3WqxOb2lxnuhxlE cqku0r9wnTx7y7UNSIT199NVLJjBe7rfjbE+5z2WmeyFiIWuhknMY2R/Av5xMhIkri 8PTdfJ0V0OgyLA4gSJh1xQLDOJz6i4LL2mbOESQ5tjRRwRG2sIzVERUK1FydRVHx99 CK7mF21gS9F9C8gp822gSKjadwnkMUzP/FTLpjlPepXfTVxlhpGtpGr2xiLMLs3bEd gpvU/fNjowcA4gEluUPSQGKhBkL3dmcAq6bqXgF+itqvFrLpvXVkhHzaJb8cv7Ezfw x369W3S+ar3Gw==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 4257lNCQ016234 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 5 Mar 2024 08:47:23 +0100
Message-ID: <d73d09e3-c4d2-4181-a891-e0d01b441de1@mtg.de>
Date: Tue, 05 Mar 2024 08:47:22 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
References: <eSTNujDSQ-_B0YtGCoZ-6ZfZdrpf_m3_2mYpLag81M3m6AgB6QlTHsiZ5kM9c6kAfK-g62RKtdnjh0Azc_aqUCSS9XTj2d9HVlcWOBaiqVY=@wussler.it> <87v861y2yl.fsf@kaka.sjd.se>
From: Falko Strenzke <falko.strenzke@mtg.de>
In-Reply-To: <87v861y2yl.fsf@kaka.sjd.se>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms020400050301030000090309"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/u8DHmhcyerqoYaLm0WQjzQnuptQ>
Subject: Re: [openpgp] Recap of the signature options [was: PQC signature algorithm selection]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 07:47:34 -0000

Am 05.03.24 um 00:47 schrieb Simon Josefsson:
> The intention seems to achieve a SV property, am I reading this right?

No, at least not in my view. Could you please state what concrete threat 
should be thwarted by achieving simultaneous-verification (SV) in OpenPGP?

I personally cannot think of any system where achieving SV brings a 
benefit over strong non-separability. SV seems to attempt (that's a 
fact, it can't ensure, see further down) to prevent the verifier from 
aborting the signature verification after having verified only one 
signature. What I don't see is that the verifier ever needs to be or 
even can be protected from himself. If the verifier isn't a stakeholder 
for proper verification according to the protocol specifications, then 
how should a signature scheme that achieves SV prevent him from simply 
accepting just any signature without any signature verification at all? 
How is this principally different from verifying only one of the two 
signatures?

>
> I would feel more comfortable if PGP relied on a hybrid signature
> combiner scheme that offered SV as a cryptographic property rather than
> as a somewhat implicit protocol property.  And one that were specified
> generally and not just for PGP.
>
> One such scheme could be designed by replacing the two-part component
> signature values with just one value that is:
>
>     SHA3(Ed25519.signature
>          || Ed25519.publickey
>          || ML-DSA-87.signature
>          || ML-DSA-87.publickey
>          || context)

Can you please explain or reference this combiner? What is the signature 
creation, what the verification routine? You cannot possibly mean that 
the hash value replaces the signature because obviously there is no way 
for the verifier to compute the signatures...

- Falko

>
> and the verifier has to compare the computed signature against that
> value before being able to say ACK or NAK.
>
> I may be missing something fundamental here, so a question: Are there
> any fundamental reasons why a hybrid PQ/T signature scheme for PGP
> cannot rely on a opaque signature combiner (like the one that I
> suggested above, only better) that provides a SV guarantee?  Reversely:
> is there any reason PGP must use the separable two-value approach in
> section 6.3.1 of draft-ietf-openpgp-pqc?

Why do you claim it was separable? It is not separable because OpenPGP 
hashes the signature algorithm ID as part as meta data in the message 
digest calculation.

- Falko

>
> /Simon
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
-- 

*MTG AG*
Dr. Falko Strenzke
Executive System Architect

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

<https://www.linkedin.com/search/results/all/?fetchDeterministicClustersOnly=true&heroEntityKey=urn%3Ali%3Aorganization%3A13983133&keywords=mtg%20ag&origin=RICH_QUERY_SUGGESTION&position=0&searchId=d5bc71c3-97f7-4cae-83e7-e9e16d497dc2&sid=3S5&spellCorrectionEnabled=false>
Follow us
------------------------------------------------------------------------
<https://www.mtg.de/de/aktuelles/MTG-AG-erhaelt-Innovationspreis-des-Bundesverbands-IT-Sicherheit-e.V-00001.-TeleTrust/> 
<https://www.itsa365.de/de-de/companies/m/mtg-ag>

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

v2.23.0 | Report a Bug | By Email